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Abstract 

Homeland  security  of  the  United  States  is  constantly  under  threat  of  attack  from 
terrorist  organizations.  A  viable  and  current  terrorist  threat  is  the  use  of  unmanned  aerial 
vehicles  (UAVs)  as  weapons  of  mass  destruction.  These  UAVs  can  be  built  simply  and 
cheaply  from  commercial  off  the  shelf  (COTS)  parts  and  are  typically  controlled  using 
standard  radio  control  (RC)  technology.  An  emerging  technology  that  is  being 
implemented  to  control  and  communicate  with  UAVs  is  the  802.1 1  wireless  network 
protocol  or  Wi-Fi. 

This  project  discusses  various  portions  of  the  Wi-Fi  protocol  and  analyzes  the 
protocol  to  determine  techniques  for  first  detecting  and  then  defeating  wireless  networks 
utilizing  the  protocol  through  denial  or  deception.  The  first  set  of  techniques  presented 
defeats  a  network  through  denial.  These  denial  techniques  are  divided  into  two 
categories:  broad  area  denial  techniques  and  specific  network  denial  techniques.  After 
denial  techniques  are  discussed  a  process  for  deceiving  an  802.1 1  wireless  network  is 
presented. 
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DEFEATING  802.1 1  WIREEESS  NETWORKS 


I.  Introduction 


Background 

On  a  cold  crisp  October  night  in  Detroit,  Miehigan,  Comeriea  Park  is  paeked  with 
42,000  fans  as  the  Tigers  are  nearing  vietory  over  the  St.  Eouis  Cardinals  in  game  five  of 
the  World  Series.  The  erowd  is  eompletely  unaware  of  the  approaehing  danger  as  several 
small  unmanned  aerial  vehieles  (UAVs)  are  launehed  from  surrounding  parks  and  fields. 
With  just  over  a  mile  to  go  to  their  target,  and  with  speeds  over  80mph,  the  4  UAVs  are 
at  the  edge  of  the  stadium  within  75  seeonds  after  launeh.  The  first  of  the  UAVs  elips  a 
light  post  as  it  dives  into  the  stadium  and  seatters  parts  over  the  erowd.  The  Cardinals 
dugout  however,  takes  a  direet  hit  with  the  seeond  plane  exploding  about  10  feet  above 
the  ground  and  seattering  a  fine  white  dust  over  the  players,  eoaehes  and  staff.  Another 
UAV  flies  north  towards  the  main  upper  deek  and  dispenses  the  same  white  eloud  of  dust 
as  it  explodes  halfway  up  the  stands.  The  last  UAV  misses  the  stadium  altogether  and 
erashes  direetly  into  Interstate  75,  just  north  of  the  ballpark. 

Nobody  is  seriously  injured  in  the  attaeks,  but  the  ensuing  panie  results  in  17 
deaths  and  over  100  injured  as  the  fans  trample  one  another  attempting  to  flee  the 
stadium.  That  evening,  the  assoeiated  press  (AP)  is  inundated  with  emails  from  the  East 
Turkestan  Islamie  Movement  (ETIM)  elaiming  responsibility  and  threatening  a  similar 
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attack  in  two  days  at  game  six  in  St.  Louis  unless  all  Uyghur  detainees  are  released  from 
captivity  at  Guantanamo.  The  powder  dispensed  by  the  UAVs  is  found  to  be  innocuous, 
but  ETIM  promises  to  deliver  a  true  biologicabchemical  attack  if  their  demands  are  not 
met. 

Although  the  events  that  occur  in  this  scenario  are  fictitious,  they  represent  a 
viable  and  current  threat.  Using  eommon  off  the  shelf  (COTS)  parts  terrorist 
organizations  have  the  willingness  and  eapability  to  produce  UAVs,  like  the  ones  used  in 
the  scenario,  as  effective  weapons  of  terror  or  worse,  as  weapons  of  mass  destruction. 

Black  Dart 

To  analyze  this  threat,  the  Defense  Intelligence  Ageney  (DIA)  organized  the  first 
Black  Dart  project  in  2003.  Black  Dart  is  an  annual  exercise  held  at  China  Lake  Naval 
Air  Weapons  Station  which  investigates  the  threat  of  UAVs  and  also  the  capabilities  to 
eounter  the  UAV  threat.  In  2005,  a  team  consisting  of  members  from  the  Air  Foree 
Researeh  Laboratory  (AFRL)  and  Aeronautieal  Systems  Center  (ASC)  partieipated  in 
Black  Dart  III  (BD  III)  (AFRL  and  ASC  2005:2). 

The  primary  objective  of  BD  III  was  to  assess  the  threat  of  an  adversary’s  ability 
to  design  and  construct  a  system  that  eould  attack  a  specific  object  or  person  on  the 
ground  using  a  small  UAV  built  from  COTS  parts.  The  threat  that  the  AFRL/ASC  team 
decided  upon  for  BD  III  consisted  of  multiple  identical  “cruise  missile”  type  vehicles 
where  the  vehicles  themselves  were  the  weapons  as  opposed  to  delivering  a  separate 
weapon.  The  mission  profiles  of  the  strategy  that  the  team  used  consisted  of  three 
phases;  launch,  cruise,  and  terminal  (AFRL  and  ASC  2005:6-7). 
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In  the  launch  phase,  multiple  UAVs  would  be  launched  in  a  coordinated  attack 
most  likely  from  a  single  launch  site.  A  single  launch  was  decided  to  be  the  best  plan  of 
action  since  the  footprint  was  smaller  and  the  chances  of  being  discovered  prior  to  launch 
were  decreased.  A  single  launch  site  also  has  the  advantage  of  selecting  from  multiple 
different  sites  to  take  advantage  of  weather  factors,  such  as  winds,  or  to  avoid  areas  that 
may  have  unanticipated  increased  security.  During  the  cruise  and  terminal  phases  of  the 
flight  profde,  the  UAVs  are  flown  actively  to  their  target,  passively/autonomously  using 
an  onboard  integrated  INS/GPS,  or  a  combination  of  both  techniques  to  provide  guidance 
to  the  target  area.  Guidance  during  the  cruise  phase  can  be  fairly  inaccurate  to  achieve 
the  objectives  of  the  phase.  However,  during  the  terminal  phase  of  the  attack,  more 
precision  would  be  required  to  ensure  that  the  vehicle  is  flown  to  the  precise  desired 
location.  The  best  way  to  achieve  this  precision  is  through  the  use  of  video  signals  sent 
from  the  vehicle.  These  video  signals  provide  the  pilot  of  the  vehicle  a  first  person  view 
of  the  craft’s  flight  path  (AFRL  and  ASC  2005:13-15). 

Currently  most  COTS  parts  and  accessories  for  radio  controlled  (RC)  aircraft 
utilize  basic  radio  frequency  (RF)  signals  set  to  one  frequency  to  control  the  aircraft  and 
to  receive  video  signals  from  any  onboard  cameras.  The  aircraft  receives  control  inputs 
from  a  transmitter  on  a  single  frequency  using  either  Pulse  Position  Modulation  (PPM), 
which  sends  signals  to  the  aircraft  based  on  the  length  of  time  the  transmitter  is  on  during 
a  certain  time  slot,  or  Pulse  Code  Modulation  (PCM),  which  uses  binary  codes  to  control 
the  aircraft.  These  systems  are  susceptible  to  interference  from  other  signals  generated 
on  the  same  frequency  and  are  limited  in  range  due  to  line  of  sight.  Some  newer  RC 
aircraft  are  using  spread  spectrum  technology  to  send  signals  to  the  aircraft.  This 
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technology  encodes  the  signal  being  sent  from  the  transmitter  to  the  aircraft  so  that  the 
signal  is  largely  indiscernible  from  other  noise  in  the  same  frequency  band.  Although 
spread  spectrum  decreases  the  chances  of  interference  to  almost  zero,  line  of  sight 
between  the  transmitter  and  receiver  is  still  required. 

In  the  not  so  distant  future,  controlling  and  receiving  video  signals  from  a 
commercially  built  RC  aircraft  will  not  be  limited  by  line  of  sight.  RC  aircraft  of  the 
future  will  have  the  ability  to  be  controlled  and  communicate  via  wireless  network 
infrastructures  that  exist  today.  The  purpose  of  this  paper  is  to  discuss  techniques  to 
defeat  or  disrupt  wireless  data  streams  of  the  802. 1 1  wireless  network  architecture.  The 
802.1 1  wireless  network  protocol  was  chosen  since  this  architecture  has  a  longer  range 
capability  than  other  architectures,  such  as  802.15  (Bluetooth),  and  is  currently  the  most 
more  widely  used  wireless  network  protocol.  Although  the  UAV  threat  was  the 
motivation  for  this  project,  the  techniques  presented  in  this  project  can  be  used  to  defeat 
any  802.1 1  wireless  network. 

Chapter  2  provides  an  overview  of  the  most  widely  used  wireless  network 
architecture  being  used  today;  802.1 1  (Wi-Fi).  This  overview  will  discuss  how  data  is 
transmitted  to  and  from  users,  security  measures  that  can  be  implemented  in  the 
architecture,  and  lastly  the  structure  of  the  data  frames  that  are  used  in  the  protocol. 
Chapter  3  will  define  steps  to  take  in  order  to  defeat  an  802.1 1  wireless  network.  These 
steps  will  discuss  various  techniques  for  defeating  a  wireless  network  through  denial  and 
deception.  Lastly,  chapter  4  will  conclude  the  project  with  a  summary. 
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II,  Literature  Review 


Internet  Access 

There  are  basieally  three  ways  a  user  ean  aeeess  the  internet  from  home  or  work. 
The  first  and  earliest  way  is  through  dial-up  aeeess.  This  type  of  aeeess  is  usually  very 
slow  sinee  it  utilizes  standard  telephone  lines  which  are  limited  in  their  capacity  to  carry 
digital  information.  Typically  users  who  still  access  the  internet  through  a  dial-up 
connection  have  no  other  way  to  connect  to  the  information  super  highway.  The  next 
way  to  access  the  internet  is  through  a  broadband  connection.  Examples  include  Digital 
Subscriber  Line  (DSL)  or  a  cable  modem.  Although  faster  than  dial-up,  this  type  of 
access  is  still  limited  by  requiring  the  user  to  use  a  physical  cable  to  connect  to  the 
network.  The  last  and  most  recent  addition  to  the  internet  access  options  is  a  wireless 
connection.  With  this  type  of  access  a  user  can  connect  from  nearly  any  location  as  long 
as  they  are  within  the  signal  range  of  a  wireless  access  point.  Within  this  access  type 
there  are  three  standards  that  users  and  devices  can  use  to  communicate  with  each  other 
and  the  internet. 

The  first  of  these  standards  is  the  Institute  of  Electrical  and  Electronics  Engineers 
(IEEE)  802.15  standard  or  more  commonly  known  as  Bluetooth.  Bluetooth  operates  over 
a  short  range,  at  low  power,  and  at  a  low  cost.  This  type  of  network  is  sometimes 
referred  to  as  a  wireless  personal  area  network,  (WPAN)  due  to  its  very  short  range.  The 
second  wireless  network  standard  is  the  IEEE  802.1 1  standard  or  more  commonly  known 
as  Wi-Ei.  Wi-Ei  provides  greater  distances,  typically  a  couple  hundred  feet,  or  perhaps 
miles  when  using  directional  antennas  (Kurose  2007:544).  With  these  greater  distances 
Wi-Ei  is  typically  used  in  conjunction  with  local  area  networks  (LAN).  The  final 
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wireless  network  standard  is  the  IEEE  802.16  standard  which  is  more  commonly  known 
as  WiMAX.  WiMAX  provides  even  greater  distances  than  Wi-Ei  with  the  capability  to 
provide  internet  access  to  users  within  3000  square  miles  of  a  WiMAX  access  point 
(Grabinowski,  undated). 

The  two  wireless  standards  that  have  the  capability  to  provide  signals  to  a  mobile 
user  or  device  over  great  distances  are  Wi-Ei  and  WiMAX.  However,  WiMAX  is  a  fairly 
new  system  and  is  not  highly  proliferated.  This  next  section  will  provide  an  overview  of 
the  Wi-Ei  protocol.  The  majority  of  the  information  in  this  next  section  was  taken  from 
the  book  Computer  Networking:  A  Top-Down  Approach,  by  James  E.  Kurose  and  Keith 
W.  Ross. 

Wi-Fi  Standards 

In  the  early  90s,  there  were  many  wireless  EAN  technologies  and  standards  being 
developed.  The  winner  that  emerged  from  this  battle  was  the  802. 1 1  Wi-Ei  standard. 
There  are  many  802.1 1  standards  that  are  in  use  today,  with  the  most  prevalent  being 
802.1  lb,  802.1  la,  and  802.1  Ig.  The  difference  between  these  standards  is  shown  in 
Table  1 .  802. 1  lb  has  a  data  rate  of  only  1 1  Mbps  and  operates  in  the  unlicensed  2.4  GHz 
band  and  competes  with  other  devices  in  this  band  such  as  cord  less  phones  and 
microwave  ovens.  802. 11a  achieves  a  higher  bit  rate  but  in  a  higher  frequency  band. 

This  higher  frequency  decreases  the  transmission  distance  of  the  signal.  The  802. 1  Ig 
standard  operates  in  the  lower  frequency  band  while  providing  the  higher  bit  rate  offered 
by  802.11a  (Kurose,  2007:527). 
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Table  1.  Summary  of  IEEE  802.11  Standards 


Standard 

US  Freq.  Range 

Data  Rate 

802.11b 

2.4-2.485  GHz 

Up  to  1 1  Mbps 

802.11a 

5. 1-5.8  GHz 

Up  to  54  Mbps 

802.11g 

2.4-2.485  GHz 

Up  to  54  Mbps 

Wi-Fi  Architecture 

The  basic  building  block  of  the  802.1 1  architecture  is  called  the  basic  service  set 
(BSS).  Central  to  a  BSS  is  the  base  station,  also  known  as  an  access  point  (AP).  The  AP 
is  typically  connected  via  a  network  cable  to  a  router  which  is  then  connected  to  the 
internet.  Wireless  stations  are  also  a  fundamental  part  of  the  BSS.  These  wireless 
stations  are  typically  the  end-user  devices  that  connect  to  the  AP,  such  as  a  personal 
digital  assistant  (PDA)  or  a  laptop  computer.  Just  like  in  a  wired  LAN,  each  wireless 
station  interface  has  an  associated  6-byte  Medium  Access  Control  (MAC)  address  as  well 
as  the  interface  for  the  AP  (Kurose,  2007:527).  Figure  1  shows  a  typical  802.1 1 
architecture. 

The  architecture  shown  in  Figure  1  is  typically  referred  to  as  an  infrastructure 
wireless  LAN.  The  infrastructure  is  the  APs  and  the  wired  internet  structure  associated 
with  this  network.  Typically  wireless  infrastructure  LANs  are  limited  to  a  couple  BSS 
that  can  cover  the  area  of  a  large  building  such  as  an  airport  or  a  university.  However, 
some  cities  in  the  United  States,  such  as  Philadelphia,  are  undergoing  ambitious  plans  to 
have  one  large  LAN  cover  an  entire  metropolitan  area.  The  project  in  Philadelphia, 
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called  Wireless  Philadelphia,  plans  to  eover  over  135  square  miles  (Merritt,  2005).  The 
BSS  of  a  wireless  LAN  ean  also  be  extended  out  over  a  great  distanee  using  direetional 
antennas.  During  the  DEFCON  Wi-Fi  Shootout  2005,  a  team  of  amateur  radio  operators 
suecessfully  established  an  unamplified  802. 1  lb  link  over  a  distance  of  124.9  miles.  This 
link  required  large  antennas  on  both  ends  of  the  link  and  also  required  line  of  sight 
between  the  two  antennas,  but  proved  that  unamplified  802. 1 1  signals  can  be  sent  over 
long  distanees  using  direetional  antennas  (Keeney,  undated). 

Wi-Fi  wireless  stations  also  have  the  eapability  to  conneet  direetly  to  one  another 
and  exehange  data  in  what  is  called  an  ad-hoe  network.  An  ad-hoe  network  has  no 
eentral  AP  and  with  no  wireless  connections  to  the  larger  internet  (Kurose,  2007:527). 
Due  to  the  limited  range  of  ad-hoe  networks,  the  Wi-Fi  diseussion  will  foeus  on  the 
802.11  infrastrueture  mode. 

Connecting  to  an  AP 

Before  a  wireless  station  can  send  or  reeeive  any  network  data,  the  station  first 
needs  to  assoeiate  with  an  AP.  When  an  AP  is  initially  setup,  a  Serviee  Set  Identifier 


(SSID)  and  frequency  is  assigned  to  the  AP.  In  the  802.1 1  standards  that  operate  in  the 
2.4  GHz  to  2.485  GHz  range,  there  are  1 1  overlapping  channels.  Channels  are 
non-overlapping  when  they  are  separated  by  four  or  more  channels.  The  only  set  of  three 
non-overlapping  channels  are  1,  6,  and  11  (Kurose,  2007:529).  The  802.11  standard 
requires  that  an  AP  send  out  beacon  frames  periodically.  These  beacon  frames  include 
the  AP’s  SSID  and  MAC  address.  A  wireless  station  listens  over  all  1 1  channels  for 
these  beacon  frames  that  are  being  broadcasted.  Typically,  if  a  wireless  station  is  set  to 
automatically  connect  to  any  AP,  the  station  will  attempt  to  connect  to  the  AP  that  has  the 
strongest  signal.  The  wireless  station  then  transmits  an  association  request  frame  to  the 
AP.  The  AP  then  responds  with  an  association  response  frame.  This  process  of  listening 
for  beacon  frames  and  associating  is  also  called  passive  scanning.  In  active  scanning,  the 
wireless  station  broadcasts  a  probe  frame  that  is  received  by  all  the  APs  within  the  range 
of  the  wireless  station.  The  APs  then  respond  to  the  wireless  station  with  a  probe 
response  frame.  Then  the  wireless  station  decides  which  responding  AP  to  associate 
with.  Figure  2  provides  a  graphical  representation  of  passive  and  active  scanning.  After 
the  wireless  station  is  associated  with  an  AP,  the  station  will  attempt  to  join  the  subnet  of 
the  AP.  This  is  typically  done  using  the  dynamic  host  configuration  protocol  (DHCP) 
(Kurose,  2007:530).  During  the  association  process,  the  wireless  station  may  be  required 
to  authenticate  itself  to  the  AP.  There  are  many  approaches  to  authentication,  such  as 
permitting  access  based  on  the  wireless  station’s  MAC  address  or  requiring  the  use  of 
usernames  and  passwords.  A  more  in  depth  discussion  of  authentication  techniques  will 
be  discussed  in  the  Wi-Fi  security  section. 
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BBS  1 


BBS  2 


BBS  1 


BBS  2 


a.  Passive  scanning 

1.  Beacon  frames  sent  from  APs 

2.  Association  Request  frame  sent: 
HI  to  selected  AP 

3.  Association  Response  frame  sent: 
Selected  AP  to  HI 


a.  Active  scanning 

1.  Probe  Request  frame  broadcast  from  HI 

2.  Probes  Response  frame  sent  from  APs 

3.  Association  Request  frame  sent: 

HI  to  selected  AP 

4.  Association  Response  frame  sent: 
Selected  AP  to  HI 


Figure  2.  Wireless  Station  Active  and  Passive  Scanning  (Kurose,  2007:531) 

Wi-Fi  MAC  Protocol 

After  a  wireless  station  is  assoeiated  with  an  AP  and  has  sueeessfully  joined  the 
subnet  of  the  AP,  the  station  ean  then  start  sending  and  reeeiving  data  frames  to  the  AP. 
However,  like  with  a  wired  medium  sueh  as  Ethernet,  multiple  wireless  stations  (or  even 
other  APs)  may  be  attempting  to  send  and  reeeive  data  to  the  same  AP.  This  dilemma 
requires  a  multiple  aeeess  protoeol.  The  802. 1 1  standard  follows  the  preeedent  set  by 
Ethernet  and  uses  a  random  aeeess  protoeol.  Eor  Wi-Ei,  this  protoeol  is  ealled  earrier 
sense  multiple  aeeess  (CSMA).  The  term  earrier  sense  means  that  eaeh  wireless  station 
senses  the  ehannel  before  transmitting  and  subsequently  avoids  transmitting  when  the 
ehannel  is  sensed  busy.  Although  both  Ethernet  and  802.1 1  use  CSMA,  Ethernet  uses 
eollision  deteetion  (CSMA/CD)  teehniques  where  as  802.1 1  uses  eollision  avoidanee 
teehniques  (CSMA/CA)  (Kurose,  2007:532). 
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There  are  two  main  reasons  that  802.1 1  uses  eollision  avoidanee  rather  than 


collision  detection  like  Ethernet.  The  first  reason  is  that  the  ability  to  detect  collisions 
requires  the  transmitting  node  to  send  and  receive  at  the  same  time.  Typically,  received 
signals  are  much  weaker  than  transmitted  signals.  To  be  able  to  detect  a  received  signal 
while  transmitting  would  require  a  wireless  card  to  have  one  antenna  for  transmitting  and 
another  for  receiving.  This  would  be  cost  prohibitive.  The  second  reason,  and  most 
importantly,  is  that  even  if  the  wireless  card  could  transmit  and  receive  at  the  same  time, 
there  is  still  no  assurance  that  the  card  would  be  able  to  detect  all  collisions,  due  to  a 
situation  called  the  hidden  terminal  problem  (Kurose,  2007:532).  The  hidden  terminal 
problem  is  when  two  or  more  wireless  stations  associated  with  an  AP  can  transmit  and 
receive  data  to  the  AP,  but  are  too  far  apart  from  each  other  to  detect  the  other  station’s 
signals.  Figure  3  gives  an  example  of  the  hidden  terminal  problem. 

In  Figure  3,  the  wireless  stations  located  at  HI  and  H2  are  associated  with  the  AP 
located  in  the  middle  and  have  no  problem  sending  and  receiving  signals  from  the  AP. 


Figure  3.  Hidden  Terminal  Problem  (Kurose,  2007:535) 
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However,  the  two  wireless  stations  are  unable  to  reeeive  signals  transmitted  by  the  other 
wireless  station. 

Since  the  802.1 1  multiple  access  protocol  of  CSMA/CA  does  not  use  collision 
detection,  the  wireless  station  will  transmit  the  entire  data  frame  once  it  starts 
transmitting.  Due  to  the  high  bit  error  rates  associated  with  a  wireless  channel,  802.1 1 
also  uses  a  link-layer  acknowledgement  scheme.  When  the  AP  receives  a  frame  that 
passes  the  cyclic  redundancy  check,  the  AP  then  waits  a  small  amount  of  time  and  then 
sends  back  an  acknowledgement  frame.  This  wait  time  is  known  as  the  Short  Inter-frame 
Spacing  (SIFS).  If  the  wireless  station  that  transmitted  the  frame  does  not  receive  the 
acknowledgement  from  the  AP  within  a  specified  amount  of  time,  the  wireless  station 
assumes  that  an  error  occurred  and  retransmits  the  entire  frame  again,  using  the 
CSMA/CA  protocol.  If  the  wireless  station  does  not  receive  the  acknowledgement  frame 
from  the  AP  after  a  set  number  of  retransmissions,  the  transmitting  station  gives  up  and 
discards  the  frame  (Kurose,  2007:533). 

Now  that  the  Wi-Fi  link-layer  acknowledgement  scheme  has  been  explained,  the 
CSMA/CA  protocol  can  be  discussed.  The  following  scenario  presents  the  steps  that  are 
taken  when  a  wireless  station  or  AP  (a  node)  attempts  to  transmit  a  frame  to  another  AP: 

1 .  The  node  first  senses  the  channel  to  determine  if  it  is  idle  or  busy. 

2.  If  the  channel  is  idle,  the  node  transmits  the  entire  frame  after 
waiting  a  specified  amount  of  time  called  the  Distributed  Inter-frame 
Space  (DIFS). 
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3.  If  the  channel  is  sensed  busy,  the  node  backs  off  and  waits  for  a 
random  amount  of  time.  This  waiting  time  starts  once  the  channel  is 
sensed  idle  and  freezes  when  the  channel  is  sensed  busy. 

4.  Once  the  wait  time  expires,  which  can  only  occur  when  the 
channel  is  idle,  the  node  then  transmits  the  entire  frame  and  then  waits 
for  the  acknowledgement  frame. 

5.  If  an  acknowledgement  is  received,  the  node  knows  that  the  frame 
was  correctly  received  by  the  AP.  The  node  transmits  the  next  frame, 
if  required,  starting  at  step  3  of  the  protocol.  Without  an 
acknowledgement,  the  node  goes  to  step  3  as  well,  but  with  a  longer 
interval  (Kurose,  2007:534).  Figure  4  shows  an  example  of  the  802.1 1 
link-layer  acknowledgment  scheme. 


Source 


Destination 


▼ 


Figure  4.  802.11  Link-Layer  Acknowledgements  (Kurose,  2007:533) 
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From  these  steps  one  can  see  how  the  802.1 1  CSMA/CA  protocol  avoids 
collisions,  rather  than  detecting  them.  For  example,  if  two  nodes  want  to  transmit  a 
frame  but  they  sense  that  the  channel  is  busy,  they  both  wait  a  random  amount  of  time 
before  transmitting.  Statistically,  the  random  wait  times  should  be  different.  When  the 
channel  becomes  idle,  the  node  with  the  shorter  wait  time  will  begin  transmitting.  The 
other  node  will  sense  that  the  first  node  is  transmitting  and  then  freeze  its  wait  time 
counter  (Kurose,  2007:534).  In  this  scenario  a  collision  is  avoided  if  the  competing 
nodes  are  able  to  sense  each  others  signals.  However,  there  is  still  the  hidden  terminal 
problem. 

Recall  that  the  hidden  terminal  problem  occurs  when  two  nodes  can  sense  signals 
from  the  AP  but  are  far  enough  apart  that  they  cannot  detect  each  other’s  signals.  If  a 
node  cannot  detect  if  the  channel  is  busy,  it  will  not  be  able  to  avoid  collisions.  To  help 
solve  the  hidden  terminal  problem,  the  802.1 1  standard  has  an  optional  reservation 
scheme  that  helps  avoid  collisions  in  this  situation.  In  this  reservation  scheme,  the  Wi-Fi 
protocol  has  the  transmitting  wireless  station  or  AP  sends  out  a  Request  to  Send  (RTS) 
control  frame  to  the  receiving  AP  prior  to  transmitting  any  data.  This  RTS  frame 
indicates  the  total  time  that  the  transmitting  node  requires  to  transmit  the  entire  data 
frame  and  to  subsequently  receive  the  acknowledgement  frame.  The  receiving  AP, 
assuming  the  RTS  frame  was  received,  replies  by  broadcasting  a  Cleared  to  Send  (CTS) 
frame.  The  CTS  frame  gives  the  sending  node  permission  to  send  its  data  frame  and  also 
alerts  any  other  nodes  to  not  send  data  during  the  reserved  time  period.  This  RTS/CTS 
exchange  process  is  typically  only  used  to  reserve  the  channel  for  the  transmission  of 


14 


large  data  frames.  Sinee  the  RTS/CTS  exehange  is  optional,  if  it  is  being  used,  a  wireless 
station  or  AP  ean  set  an  RTS  threshold  size  so  that  the  RTS/CTS  exehange  only  oeeurs 
when  the  frame  is  larger  than  the  threshold  size.  Usually,  a  wireless  station  has  the  RTS 
threshold  value  set  to  be  larger  than  the  maximum  frame  size,  whieh  means  that  the 
RTS/CTS  exehanged  is  omitted  eompletely  (Kurose,  2007:535-537).  Now  that  the  basie 
protoeols  used  by  802.1 1  are  defined,  the  next  seetion  will  explain  802.1 1  seeurity. 

802,11  Security 

In  a  elosed  data  network,  data  is  transmitted  between  nodes  through  a  wired 
medium.  In  order  for  an  outside  party  to  be  able  to  view  or  intereept  data  between  nodes, 
the  other  party  would  need  to  be  loeated  in  the  wired  medium  between  the  two 
communicating  nodes.  In  a  wireless  network,  the  medium  is  the  free  space  radio 
channels  between  nodes.  Unlike  a  wired  medium,  data  frames  transmitted  via  a  wireless 
network  can  be  viewed  and  intercepted  by  anyone  capable  of  receiving  the  signal.  For 
this  reason  a  layer  of  security  is  required  in  order  to  encrypt  data  between  nodes.  There 
are  many  security  techniques  that  can  be  implemented  in  the  802. 1 1  standard.  Explaining 
all  of  the  different  techniques  that  exist  would  require  a  separate  dedicated  paper.  This 
project  will  discuss  two  of  the  most  widely  used  802.1 1  security  schemes  in  small  office 
and  home  networks;  Wired  Equivalent  Privacy  (WEP)  and  Wi-Ei  Protected  Access 
(WPA). 

The  security  standard  that  was  initially  defined  in  the  IEEE  802.1 1  standard  is 
known  as  WEP.  The  WEP  security  protocol  provides  authentication  and  encryption 
between  wireless  stations  and  the  AP  using  a  symmetric  shared  key  method.  In  this 
protocol  the  AP  and  the  wireless  station  need  to  agree  on  a  40-bit  or  104-bit  symmetric 
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key  using  an  out-of-band  method,  such  as  encrypted  e-mail,  standard  post  office  mail, 
telephone  call,  etc.  The  following  defines  the  basic  steps  in  the  WEP  protocol  during  the 
authentication  process. 


1 .  A  wireless  station  transmits  an  authentication  frame  to  an  AP. 

2.  The  AP  responds  to  the  authentication  frame  with  a  128-byte 
nonce  value. 

3.  The  wireless  station  then  encrypts  the  nonce  using  the  shared  key 
and  transmits  back  to  the  AP. 

4.  The  AP  then  decrypts  the  encrypted  nonce.  If  the  nonce  matches 
the  original  nonce  sent  by  the  AP  then  the  wireless  station  is 
authenticated  (Kurose,  2007:733). 

The  data  encryption  algorithm  used  in  the  above  authentication  process  and  for 
data  encryption  is  described  in  the  following  list. 

1 .  A  4-byte  cyclical  redundancy  check  (CRC)  value  is  computed  for 
the  data  payload. 

2.  The  payload  and  the  CRC  are  then  encrypted  using  the  RC4  cipher. 

The  RC4  cipher  is  given  a  64-bit  key;  the  algorithm  then  produces  a 
stream  of  key  values  that  are  used  to  encrypt  the  data  and  CRC  value 
in  the  frame.  The  64-bit  key  is  the  40-bit  symmetric  key  with  a  24-bit 
Initialization  Vector  (IV)  appended.  The  IV  changes  for  each  frame 
and  is  in  plaintext  in  the  header  of  each  WEP  encrypted  frame. 

3.  The  receiving  node  creates  the  64-bit  key  using  the  shared  40-bit 
symmetric  key  and  adding  the  24-bit  IV  located  in  the  header. 
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4.  The  receiving  node  then  decrypts  the  frame  using  the  64-bit  key 


(Kurose,  2007:733-734). 

5.  Since  WEP  was  the  first  attempt  at  a  wireless  security  standard,  there  are 
inherent  flaws  in  the  algorithm  which  make  cracking  the  symmetric  key 
feasible.  These  flaws  and  the  techniques  to  exploit  them  will  be  discussed 
later  in  this  project. 

The  IEEE  solution  to  the  weak  security  of  802. 1 1  WEP  is  the  802. 1 1  i  standard. 
As  with  all  standards,  issuance,  ratification,  and  implementation  by  the  users  of  the 
standard  can  take  years.  In  order  to  bridge  the  gap  between  the  weak  security  of  the 
802. 1 1  WEP  and  the  stronger  security  of  802.  Hi,  WPA  was  implemented  as  an  interim 
upgrade  to  existing  802.1 1  devices  and  also  provides  compatibility  with  the  802.1  li 
standard.  Table  2  shows  a  comparison  of  the  WEP  and  WPA  protocols. 

Table  2.  WEP  vs.  WPA  comparison 


WEP 

WPA 

Encryption 

Elawed,  cracked 

Eixes  all  WEP  flaws 

40-bit  &  104-bit  keys 

128-bit  keys 

Static  -  same  key  used  by 
everyone  on  the  network 

Dynamic  session  keys.  Per 
user,  per  session,  per  packet 
keys 

Manual  distribution  of  keys 
-  hand  typed  into  each 
device 

Automatic  distribution  of 
keys 

Authentication 

Elawed,  used  WEP  key 
itself  for  authentication 

Strong  user  authentication, 
utilizing  802.  IX  and 
Extensible  Authentication 
Protocol  (EAP) 
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One  of  the  biggest  differences  between  WEP  and  WPA  is  that  WPA  uses  a  larger 
128-bit  key.  More  importantly,  WPA  uses  dynamic  session  keys,  has  a  mechanism  for 
automatically  distributing  the  keys,  and  employs  stronger  authentication  protocols.  These 
WPA  improvements,  however,  only  exist  in  large  networks  where  an  authentication 
server  is  utilized.  Small  office  and  home  users  utilizing  WPA  still  are  required  to  use  a 
pre-shared  static  key  (PSK)  that  needs  to  be  input  into  the  AP  and  the  wireless  stations 
that  communicate  with  the  AP.  The  PSK  and  the  SSID  in  the  WPA  protocol  are  used  to 
compute  the  Pairwise  Master  Key  (PMK).  Using  the  PMK,  rather  than  the  PSK,  these 
small  network  users  obtain  more  security  through  the  use  of  the  WPA  Temporal  Key 
Integrity  Protocol  (TKIP). 

TKIP  is  a  collection  of  algorithms  created  to  fix  the  security  problems  of  WEP 
while  also  maintaining  backward  compatibility  with  older  hardware.  TKIP  basically 
provides  additional  security  by  offering  an  additional  protocol  around  WEP.  The 
following  list  defines  the  elements  of  TKIP: 

1 .  A  Message  Integrity  Code  (MIC)  is  a  cryptographic  checksum 
using  the  source  and  destination  MAC  addresses  and  the  plaintext  data 
of  the  802.1 1  frame.  The  MIC  protects  against  forgery  attacks. 

2.  Countermeasures  that  bound  the  probability  of  successful  forgery 
of  data  and  the  amount  of  information  an  attacker  can  learn  about  the 
key. 

3.  An  extended  48-bit  IV  and  an  IV  sequence  counter,  called  the 
TKIP  sequence  counter  (TSC),  which  addresses  replay  attacks. 
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4.  Per  packet  key  mixing  of  the  IV  is  used  to  break  up  the  correlation 
used  by  weak  key  attacks  (Eaton,  2002). 


As  presented  in  the  above  list,  TKIP  uses  a  48-bit  IV  called  the  TSC.  By  using  a 
48-bit  TSC,  as  opposed  to  a  24-bit  IV,  the  probability  that  an  IV  will  be  used  more  than 

48 

once  in  a  single  association  is  almost  zero.  Since  the  TSC  is  updated  for  each  packet,  2 
packets  can  be  exchanged  using  a  single  temporal  key  before  a  key  would  need  to  be  used 
again.  Under  heavy,  steady  internet  traffic  loads,  the  requirement  to  reuse  a  key  would 
take  approximately  100  years  (Eaton,  2002). 


MSDU  Plaintext 


Figure  5.  TKIP  Encapsulation  Process  (Eaton,  2002) 

The  TSC  is  constructed  from  the  first  and  seconds  bytes  of  the  original  WEP  IV 

and  4  bytes  provided  in  the  extended  IV.  The  TKIP  encapsulation  process  is  shown  in 

Eigure  5.  The  temporal  and  MIC  keys  are  derived  from  the  PMK.  The  temporal  key, 

transmitter  address  and  TSC  are  combined  in  a  two-phase  key  mixing  function  to 

generate  a  per  packet  key  to  be  used  to  seed  the  WEP  engine  for  encryption.  The  per 

packet  key  is  128  bits  long  and  is  split  into  a  104-bit  RC4  key  and  a  24-bit  IV  for 
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presentation  to  the  WEP  engine.  The  MIC  is  ealeulated  using  the  souree  MAC  address, 
destination  MAC  address,  the  plaintext  data  of  the  802.1 1  frame,  the  MIC  key  and  the 
TSC.  By  eomputing  the  MIC  using  the  souree  and  destination  MAC  addresses,  the  data 
is  keyed  to  the  sender  and  the  reeeiver  whieh  aids  in  preventing  forgery  attaeks  (Eaton, 
2002). 

The  deeryption  proeess  is  basieally  the  same  as  the  eneryption  proeess  with  some 
exceptions.  After  the  recovery  of  the  TSC  from  the  received  frame,  the  TSC  is  compared 
to  the  previous  frame  received  to  see  if  the  most  recent  frame  has  a  greater  value.  If  the 
received  frame  does  not  have  a  greater  TSC  value,  the  frame  is  discarded  in  order  to 
prevent  a  replay  attack.  Also,  the  MIC  value  is  recalculated  at  the  receiving  node  and  is 
compared  to  the  decrypted  MIC  value  retrieved  from  the  received  frame.  If  these  values 
do  not  match,  then  countermeasures  are  taken,  which  primarily  consists  of  rekeying  the 
temporal  key  (Eaton,  2002). 

As  can  be  seen,  the  WPA  algorithm  provides  for  more  security  than  WEP. 
However,  much  like  WEP,  the  security  of  WPA  using  PSK  is  only  as  strong  as  the 
shared-key  used  by  the  AP  and  wireless  stations.  If  this  key  becomes  compromised,  all 
security  is  lost  and  can  only  be  regained  by  manually  inputting  new  keys  into  the  AP  and 
wireless  stations.  Now  that  the  basics  of  802.1 1  security  and  encryption  have  been 
defined,  the  next  step  is  to  discuss  the  architecture  of  the  actual  802.1 1  frame. 

The  802,11  Frame 

The  standard  802.1 1  frame  is  shown  in  Eigure  6.  The  numbers  above  the  fields 
are  the  length  of  the  field  in  bytes,  while  the  numbers  below  the  subfields  in  Eigure  7  are 
the  length  in  bits. 
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Octets:  2 

2 

6 

6 

6 

2 

6 

0-2312 

4 

Frame 

Control 

Duration/ 

ID 

Address  1 

Address  2 

Address  3 

Sequence 

Control 

Address  4 

Frame 

Body 

FCS 

Figure  6.  The  802.11  frame  (IEEE,  1999:34) 

The  first  part  of  the  data  frame  is  the  eontrol  field  and  is  shown  in  Figure 

7.  Some  of  the  more  important  subfields  in  the  control  field  are  as  follows: 


BO  B1B2 

B3B4 

B7 

B8 

B9 

B10 

Bit 

B12 

B13 

B14 

B15 

Protocol 

Version 

Typo 

Subtype 

To 

DS 

From 

DS 

More 

Frag 

Retry 

Pwr 

Mgt 

More 

Data 

WEP 

Order 

Bits.  2 

2 

4 

1 

1 

1 

1 

1 

1 

1 

1 

Figure  7.  The  Frame  Coutrol  Field  (IEEE,  1999:35) 

Type  and  Subtype  Subfields:  used  to  distinguish  the  association,  RTS, 


CTS,  ACK,  and  data  frames.  Table  3  shows  the  values  for  some  of  the 


frames  already  discussed. 


Table  3.  Type  aud  Suhtype  Comhiuatious 


Type 

Value 

Subtype 

Value 

Description 

00 

0000 

Association  Request 

00 

0001 

Association  Response 

01 

1011 

RTS 

01 

1100 

CTS 

01 

1101 

ACK 

10 

0000 

Data 

To/From  Subfields:  Used  to  define  the  meanings  of  the  different 
address  fields.  These  meanings  change  on  whether  ad  hoc  or 
infrastructure  modes  are  used.  In  infrastructure  mode  these  fields 
define  whether  an  AP  or  wireless  station  is  sending  the  frame  (Kurose, 
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2007:541).  Table  4  shows  the  different  to/from  combinations  and  their 


meanings. 


Table  4.  To/From  Subfield  Combinations 


To 

Value 

From 

Value 

Description 

0 

0 

Ad  hoc:  data  frame  sent  from  one 
wireless  station  to  another  wireless 
station 

1 

0 

Infrastructure:  data  frame  to  the  AP 
from  a  wireless  station 

0 

1 

Infrastructure:  data  frame  from  the 

AP  to  a  wireless  station 

1 

1 

Infrastructure:  data  frame  from  one 

AP  to  another  AP 

Wired  Equivalent  Privacy  (WEP)  Subfield:  When  set  to  1 ,  this 
subfield  indicates  that  the  data  has  been  processed  through  the  WEP 
algorithm  and  the  entire  frame  format  is  expanded  (IEEE,  1999:37). 

WEP  will  be  discussed  further  in  the  802.1 1  security  section. 

After  the  frame  control  field,  the  other  fields  of  the  802.1 1  frame  header  continue. 
The  more  important  fields  are  as  follows: 

Address  1  Field:  This  is  the  MAC  address  of  the  wireless  station  that  is  to 
receive  the  frame.  If  a  wireless  station  is  transmitting  to  an  AP,  the  AP  MAC 
address  would  be  in  address  1 . 

Address  2  Field:  This  is  the  MAC  address  of  the  wireless  station  that 
transmitted  the  frame.  If  a  wireless  station  is  transmitting  to  an  AP,  the  MAC 
address  of  the  wireless  station  would  be  in  address  2. 
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Frame  Body  Field:  This  field  contains  the  payload  of  the  frame,  typically  an 
IP  datagram  or  an  ARP  packet.  Although  the  payload  can  be  as  large  as  23 12 
bytes,  it  is  usually  less  than  1500  bytes. 

Frame  Check  Sequence  (FCS)  Field:  The  PCS,  also  known  as  the  CRC,  is 
used  by  the  receiver  to  detect  bit  errors  in  the  received  frame  and  is  computed 
over  the  entire  data  frame. 

The  802.1 1  frame  explained  in  the  previous  section  is  the  construction  that  can  be 
expected  for  unencrypted  data  frames.  When  WEP  or  WPA  security  protocols  are 
utilized  there  are  some  changes  that  occur  to  the  assembly  of  the  data  frame.  When  using 
the  WEP  protocol  for  encryption,  changes  occur  to  the  frame  body.  As  explained 
previously  in  the  WEP  protocol,  a  64-bit  key  is  used  to  encrypt  the  original  frame  body 
data  and  CRC  value.  This  64-bit  key  is  comprised  of  a  24-bit  IV  and  a  40-bit  or  104-bit 
pre-shared  key.  After  the  data  and  CRC  are  encrypted  they  are  placed  inside  the  frame 
body  and  appended  with  the  24-bit  IV  that  was  used  during  the  encryption  process. 


< - Encrypted  (Note) - ► 


IV 

Data 

ICV 

4 

(PDU) 

>=1 

4 

Sizes  in  Octets 

\ 

\ 


In  it.  Vector 

I  octet 

3 

Pad 

6  bits 

Key  ID 
2  bits 

NOTE  -  The  encypherment  process  has  expanded  the  original  Frame  Body  by  8  octets,  4  for  the  IV 
fidd  and  4  for  the  ICV.  The  ICV  is  calculated  on  the  data  field  only. 

Figure  8.  Construction  of  Expanded  WEP  Frame  Body  (IEEE,  1999:64) 
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Figure  8  shows  how  the  WEP  protoeol  ehanges  the  frame  body  of  the  802.1 1  data  frame. 
As  the  note  below  the  Figure  8  explains,  the  frame  body  transmitted  when  using  the  WEP 
protocol  for  encryption  expands  the  original  frame  body  data  by  8  bytes  (octets).  4  bytes 
are  for  the  IV  field  and  the  other  4  are  for  the  WEP  integrity  check  value  (ICV),  another 
CRC.  The  WEP  ICV  value  is  calculated  using  the  original  frame  body  data  and  is 
encrypted  with  the  data  where  as  the  ECS  field  is  calculated  using  the  entire  frame.  The 
4-byte  IV  field  is  composed  of  three  subfields.  The  first  3  bytes  are  the  24-bit  IV  that 
was  used  in  the  64-bit  key  to  encrypt  the  data.  The  last  byte  of  the  IV  field  contains  a  6- 
bit  pad  followed  by  a  2-bit  Key  ID  field.  The  Key  ID  field  identifies  1  of  4  possible  pre¬ 
shared  key  values  to  use  in  decrypting  the  frame  body  (IEEE,  1999:64-65). 

When  the  WPA  protocol  is  utilized,  changes  occur  to  the  frame  body  as  well.  As 
explained  previously,  the  TKIP  protocol  used  in  WPA  uses  an  extended  48-bit  IV  called 
the  TSC.  Also,  TKIP  uses  a  MIC  function  that  creates  the  8-byte  MIC  value  using  the 
source  MAC  address,  destination  MAC  address,  the  plaintext  data  of  the  802.1 1  frame, 
the  MIC  key  and  the  TSC.  The  assembly  of  the  frame  body  when  using  WPA  with  TKIP 
is  shown  in  Figure  9. 


- Encrypted - 


IV/  KeylD 

EKtanded  IV 

Data 

MIC 

ICV 

4  octets 

4  octets 

n  octets 

8  octets 

4  octets 

Figure  9.  Frame  Body  After  TKIP  encryption  (Eaton,  2002) 


When  compared  to  the  WEP  encrypted  802.1 1  frame  body,  the  WPA  frame  body 
increases  the  frame  body  by  12-bytes.  The  first  4  of  these  bytes  are  the  extended  IV 
which  is  used  in  conjunction  with  the  first  2  bytes  of  the  original  WEP  IV  to  create  the 
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48-bit  TSC.  The  other  8  bytes  are  the  MIC  value  that  is  enerypted  along  with  the  original 
frame  body  eontent  and  the  WEP  ICV.  By  using  WPA  eneryption,  the  total  inerease  of 
the  frame  body  from  the  unenerypted  frame  is  20-bytes  (Eaton,  2002). 
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III.  Attacking  the  Wi-Fi  Protocol 


Now  that  the  fundamentals  of  the  802.1 1  protocol  have  been  explained,  steps  will 
be  discussed  to  defeat  a  wireless  station  or  AP  that  is  utilizing  the  Wi-Fi  protocol.  This 
concept  of  operations  will  be  broken  down  into  three  sections;  detection,  denial,  and 
deception.  The  first  section  will  analyze  the  protocol  and  discuss  techniques  that  can  be 
used  to  detect  wireless  networks  that  are  located  near  a  location  and  to  then  determine  the 
AP  a  wireless  station  is  utilizing.  The  next  two  sections  will  discuss  how  to  defeat  an 
802.1 1  signal  once  the  network  has  been  detected.  The  first  technique  for  defeating  an 
802.1 1  wireless  network  will  analyze  techniques  for  denying  the  use  of  the  network. 
Denial  can  be  achieved  either  through  broad  area  denial  in  which  no  one  can  utilize  the 
network,  or  through  specific  network  denial,  which  would  deny  only  a  limited  number  of 
users  from  utilizing  the  network.  The  second  technique  for  defeating  an  802.1 1  wireless 
network  will  discuss  techniques  that  can  be  used  to  deceive  the  signals  transmitted  to  or 
received  from  the  wireless  station.  The  techniques  that  will  be  derived  in  the  following 
section  are  theoretical  with  no  actual  application.  When  available,  tools  that  are  currently 
available  to  apply  these  techniques  will  be  briefly  presented. 

Detecting  Unauthorized  Channels 

The  first  step  in  defeating  a  wireless  station  or  AP  that  is  utilizing  the  802.1 1 
protocol  is  to  detect  the  wireless  network  that  is  being  used.  The  majority  of 
commercially  available  equipment  on  the  market  today  (2008)  utilizes  either  the  802.1  lb 
or  802.1  Ig  standards,  with  802.1  Ig  being  the  newer  and  faster  of  the  standards.  Both  of 
these  standards  operate  in  the  2.4-2.485  GHz  range  and  operate  on  1  of  1 1  overlapping 
channels.  Since  there  are  only  1 1  possible  channels  that  an  802.1 1  wireless  station  or  AP 
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can  operate  on,  the  ability  to  deteet  Wi-Fi  wireless  signals  beeomes  simpler.  However, 
deteeting  a  specific  wireless  network  can  still  be  daunting  when  there  are  dozens  of  other 
wireless  networks  in  the  same  vieinity.  One  solution  is  to  proeedurally  control  and 
restrict  the  802.1 1  ehannels  that  ean  be  used  at  a  specific  location  to  one  or  two  ehannels. 
If  a  wireless  network  appears  that  is  utilizing  a  restrieted  ehannel,  that  wireless  network 
and  ehannel  ean  be  denied  without  affecting  legitimate  users.  However,  if  a  wireless 
network  utilizes  one  of  the  allowable  channels,  denying  the  channel  would  affeet 
legitimate  users.  Detecting  the  ehannel  that  the  wireless  network  is  utilizing  is  only  part 
of  solving  the  puzzle.  In  order  to  determine  a  speeific  wireless  network,  the  SSID  of  the 
network  needs  to  be  deteeted.  There  are  two  major  eategories  for  detecting  802. 1 1 
networks;  aetive  and  passive. 

Actively  Detecting  SSIDs 

When  aetively  seanning  for  Wi-Fi  wireless  networks,  a  wireless  station  broadeasts 
probe  request  frames.  The  APs  that  are  within  range  of  the  wireless  station  reeeive  the 
probe  request  frame  and  respond  with  a  probe  response  frame.  The  wireless  station  then 
decides  which  responding  AP  to  associate  with.  This  probe  request  frame  can  also  be 
used  to  seareh  for  a  network  with  a  speeific  SSID.  Tools  that  use  aetive  seanning  to 
deteet  Wi-Fi  networks  periodically  send  out  these  probe  response  frames  (Caehe, 
2007:92).  Windows  based  tools  that  use  active  scanning  are  NetStumbler  (Windows  XP 
and  earlier)  and  VistaStumbler  (for  Windows  Vista).  Figure  10  shows  a  sereen  shot  of 
VistaStumbler.  From  the  sereen  shot  it  can  be  seen  that  VistaStumbler  gathers  the  MAC 
address,  SSID,  wireless  channel  and  relative  signal  strength  of  each  AP  that  responds  to 
the  probe  request  frame  (Skoudis,  2006:243).  Also,  if  any  eneryption  is  used,  the 
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Figure  10.  VistaStumbler 

protocol  is  displayed.  Although  an  active  scanner  can  detect  many  Wi-Fi  networks,  the 


tool  can  only  detect  probe  response  frames  from  those  APs  that  are  configured  to  respond 


to  probe  request  frames.  These  active  scanners  are  unable  to  detect  APs  that  do  not 


respond  to  broadcast  probe  request  frames  or  any  other  Wi-Fi  traffic. 


Passively  Detecting  SSIDs 

To  detect  these  other  APs  or  any  other  wireless  traffic,  passive  scanning  tools  are 
used.  These  tools  typically  generate  better  results  than  active  scanning  tools.  These  tools 
do  not  transmit  any  packets  themselves  but  rather  listen  to  all  packets  and  then  analyze 
the  packets  to  detect  wireless  networks.  These  tools  require  that  a  wireless  network  card 
be  placed  into  monitor  mode,  which  is  similar  to  placing  an  Ethernet  card  into 
promiscuous  mode.  This  sounds  simple  enough,  however,  not  all  wireless  cards  support 
monitor  mode.  A  card  that  does  support  monitor  mode  simply  listens  to  all  the  frames 
that  it  can  detect,  analyzes  the  frames,  and  then  updates  the  user  interface  as  new 
information  is  determined  (Cache,  2007:95-96).  There  are  currently  no  passive  scanning 
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tooling  tools  that  are  Windows  based.  However,  two  Linux  based  passive  seanning  tools 
that  work  with  monitor  mode  capable  wireless  cards  are  Wellenreiter  and  Kismet.  These 
tools  can  detect  a  wireless  network  that  is  not  broadcasting  an  SSID  with  its  probe 
response  frame  by  listening  to  traffic  on  the  network.  If  traffic  is  idle  on  the  wireless 
network,  these  tools  can  detect  the  network  based  on  the  MAC  address  of  the  AP,  but 
cannot  determine  the  SSID  until  some  traffic  is  generated  on  the  network.  Figure  1 1 
shows  a  screenshot  of  Wellenreiter.  As  can  be  seen  from  the  screenshot,  Wellenreiter 


displays  the  channel,  SSID,  MAC  address,  and  if  WEP  encryption  is  used  or  not.  The 


only  disadvantage  these  passive  tools  have  when  compared  to  the  active  scanners  is  that 


any  encryption  level  above  WEP  is  not  identified. 
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Figure  11.  Wellenreiter  (freshmeat.net,  no  date) 
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Active  and  Passive  Detection  Combination 


Using  passive  and  active  scanning  tools,  nearly  all  of  the  wireless  networks  near  a 
location  can  be  detected.  The  only  Wi-Fi  networks  that  cannot  be  detected  are  those  that 
do  not  broadcast  their  SSID  in  the  probe  response  frames,  do  not  respond  to  broadcast 
probe  request  frames,  and  have  idle  or  very  minimal  traffic.  As  stated  earlier,  almost  all 
information  from  these  wireless  networks,  except  the  SSID,  can  be  determined  through 
passive  scanning  tools.  One  method  of  determining  the  SSID  is  to  wait  for  traffic  to  be 
generated  on  the  desired  network.  Another  technique  for  determining  an  idle  network 
SSID  is  by  forcing  deauthentication. 

In  order  for  this  technique  to  work,  the  MAC  address  of  the  desired 
non-broadcasting  wireless  network  needs  to  be  known.  This  information,  as  shown 
previously,  can  be  obtained  using  one  of  the  passive  scanning  tools.  Spoofing  the  MAC 
address  of  the  AP,  a  deauthenticate  message  is  sent  to  the  broadcast  address  of  the 
wireless  network.  The  deauthenitcate  message  is  a  type  of  control  message  and  is 
therefore  accepted  by  any  wireless  stations  currently  on  the  network  without 
authentication.  The  result  of  this  message  being  sent  is  that  any  wireless  stations 
currently  associated  with  the  spoofed  AP  are  disassociated  with  the  network.  After  the 
wireless  stations  are  disassociated,  they  will  automatically  try  to  reassociate  with  the  AP 
using  the  required  SSID.  These  association  frames  contain  the  SSID  in  clear  text  and  can 
now  be  detected  by  one  of  the  passive  scanning  tools.  By  forcing  deauthentication,  this 
technique  is  essentially  injecting  traffic  into  the  desired  wireless  network  (Skoudis, 
2006:247).  One  tool  that  is  commercially  available  that  performs  this  technique  is  a 
Linux  based  tool  called  Airjack.  By  using  this  tool,  in  conjunction  with  an  active  and 
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passive  scanning  tool,  all  802.1 1  wireless  networks  can  be  detected.  After  the  desired 
network  has  been  detected,  the  next  step  is  to  defeat  the  wireless  network. 

Defeat  through  Denial 

The  first  course  of  action  that  can  be  taken  to  defeat  a  desired  wireless  network  is 
through  Denial  of  Service  (DoS).  There  are  two  types  of  DoS  that  can  be  performed. 

The  first  type  will  be  called  broad  area  denial.  Broad  area  denial  techniques  affect  not 
only  the  desired  wireless  network  but  also  legitimate  wireless  networks  in  the  vicinity  of 
the  desired  wireless  network.  The  second  type  of  DoS  will  be  called  specific  network 
denial.  Specific  network  DoS  techniques  affect  only  the  desired  network. 

Broad  Area  Denial 

Noise  Jamming 

One  of  the  simplest  forms  of  broad  area  denial  techniques  is  noise  jamming  which 
is  an  active  jamming  technique.  First,  a  wireless  network  is  detected  and  the  802.1 1 
channel  of  the  network  is  determined.  An  RF  jamming  source  can  be  utilized  to  send  out 
a  powerful  signal  on  the  same  frequency  of  the  desired  network.  This  signal  contains  no 
information  but  only  noise.  The  jamming  signal  denies  the  use  of  the  frequency  since 
actual  signals  in  the  frequency  will  be  lost  in  the  background  noise  generated  by  the 
jamming  source.  The  first  disadvantage  of  performing  this  type  of  DoS  is  that  the 
frequency  being  jammed  becomes  unusable  by  all  wireless  networks,  not  just  the  desired 
network.  The  second  disadvantage  of  this  technique  is  that  active  noise  jamming  is 
typically  not  effective  against  wireless  networks  incorporating  spread  spectrum  and 
multiplexing  technologies.  A  discussion  of  these  technologies  is  beyond  the  scope  of  this 
project  however  all  that  needs  to  be  known  is  that  these  technologies  are  used  in  802. 1 1 
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wireless  networks  and  one  of  their  main  goals  is  to  minimize  interferenee  (noise)  from 
external  sourees  and  other  network  users. 

Cleared  to  Send  Control  Frames 

Another  broad  area  DoS  teehnique  involves  utilizing  the  802.1 1  infrastrueture  and 
protoeols.  Reeall  that  802.1 1  networks  have  to  deal  with  a  dilemma  called  the  hidden 
terminal  problem.  This  problem  occurs  when  two  wireless  stations  are  connected  to  an 
AP  and  they  are  unable  to  receive  each  other’s  signals.  Since  the  wireless  stations  cannot 
detect  each  other,  one  station  is  unable  to  detect  when  the  other  station  is  transmitting. 

The  portion  of  the  802.1 1  protocol  that  deals  with  this  problem  uses  RTS  and  CTS 
control  frames.  An  RTS  frame  is  sent  by  the  wireless  station  desiring  to  send  information 
and  the  CTS  frame  is  broadcast  by  the  AP  to  tell  other  wireless  stations  not  to  transmit 
during  a  specified  time  frame.  There  are  two  techniques  that  this  portion  of  the  protocol 
can  be  manipulated  in  order  to  perform  DoS  on  a  desired  network.  The  first  technique  is 
to  generate  an  RTS  frame  and  transmit  the  frame  to  the  AP  of  the  rogue  wireless  network. 
The  AP  will  receive  this  RTS  and  then  broadcast  a  CTS  frame  to  every  wireless  station  in 
the  vicinity  of  the  desired  AP,  not  just  the  wireless  stations  associated  with  the  AP.  The 
second  technique  is  to  self  generate  and  transmit  a  CTS  frame  by  spoofing  the  MAC 
address  of  the  desired  AP.  One  advantage  of  creating  and  transmitting  the  CTS  frame  is 
that  a  continuous  stream  of  CTS  frames  are  transmitted  that  can  bring  the  throughput  of 
the  network  down  to  almost  zero.  Another  advantage  of  this  technique  is  that  the  location 
of  the  AP  is  not  required  (Cache,  2007:195).  As  with  active  noise  jamming,  the 
disadvantage  of  RTS/CTS  spoofing  is  that  it  affects  all  wireless  stations  within  the 
vicinity  of  the  desired  network,  denying  legitimate  users  wireless  network  access.  As  can 
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be  seen,  these  teehniques  are  good  at  denying  a  wireless  network  from  operating  but  poor 
at  limiting  the  effects  to  a  single  network. 

Specific  Network  Denial 

In  order  to  have  a  DoS  effect  on  a  specific  network,  one  needs  to  become 
associated  with  the  network.  Associating  with  an  unsecured  wireless  network  is  quite 
simple  since  the  SSID  and  MAC  address  of  the  AP  are  all  that  are  required  to  either 
associate  with  the  AP  or  to  create  a  fake  AP.  When  encryption  is  used  the  process 
increases  in  difficulty  since  the  keys  used  by  the  encrypted  network  need  to  be  cracked. 
Once  the  keys  are  cracked,  associating  with  a  rogue  network  becomes  is  simplified. 

Associating  with  a  WEP  Secured  Network 

Recall  that  the  basic  encryption  scheme  that  is  utilized  in  the  802.1 1  protocol  is 
WEP.  The  inherent  flaw  with  WEP  is  how  the  I  Vs  are  used  in  each  encrypted  data 
frame.  When  the  WEP  protocol  is  used,  the  24-bit  IV  is  added  to  the  40-bit  or  104-bit 
pre-shared  secret  key  and  then  the  RC4  algorithm  is  used  for  encryption.  When  the 
encrypted  frame  is  transmitted  the  IV  is  located  before  the  encrypted  data  in  the  frame 
body  in  clear  text.  This  means  that  the  first  3  bytes  of  the  key  are  transmitted  in  the  clear 
and  viewable  by  anyone  who  can  intercept  the  data  frames  (Cache,  2007:180).  When 
properly  utilized,  the  RC4  algorithm  requires  that  the  same  64-bit  key  value  never  be 
reused.  With  WEP,  the  IV  is  only  24-bits  long,  which  translates  into  only  2  unique  keys 
that  can  be  used.  If  the  IVs  are  chosen  randomly  the  probability  of  having  chosen  the 
same  IV  value  is  more  than  99  percent  after  only  12,000  frames.  If  a  node  is  transmitting 
I  kilobyte  frames  at  a  transmission  rate  of  1  Mbps,  the  node  will  have  transmitted  12,000 
frames  within  a  few  seconds.  Anyone  viewing  the  transmitted  frames  can  easily 
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determine  when  a  duplieate  IV  oeeurs  (Kurose,  2007:734).  This  type  of  WEP  key 
cracking  is  called  a  statistical  attack.  In  order  to  quickly  break  a  WEP  key  around 
300,000  frames  would  be  required  for  a  40-bit  key,  and  almost  1,000,000  frames  for  a 
104-bit  key.  When  a  network  is  idle  or  has  very  sparse  traffic,  more  traffic  can  be 
generated  by  retransmitting  intercepted  frames  back  into  the  wireless  network.  Erames 
that  contain  address  resolution  protocol  (ARP)  requests  and  responses  are  optimal  for 
generating  more  network  traffic  because  these  frames  are  of  a  uniform  and  unique  size. 
If  there  are  very  few  nodes  on  a  network,  the  content  of  frames  containing  ARP  packets 
can  be  more  easily  deciphered  since  some  of  the  encrypted  content  is  already  known, 
such  as  the  sending  and  receiving  MAC  addresses. 

There  are  numerous  commercially  available  tools  that  can  decipher  WEP  keys, 
but  one  of  the  most  popular  tools  is  Aircrack.  This  tool  is  available  on  Einux  and 
Windows  based  systems,  but  operates  best  on  Einux  based  systems  (Cache,  2007:181). 
Other  tools  that  can  assist  Aircrack  in  decrypting  WEP  keys  are  Aireplay  and  Airodump. 
Aireplay  is  another  Einux  based  tool  that  is  used  to  inject  frames  into  the  network  to 
generate  more  frames  which  are  then  captured  using  Airodump  and  placed  into  a  capture 
file.  Aircrack  then  performs  the  statistical  analysis  attack  on  the  captured  frames  to 
statistically  determine  the  WEP  key.  Once  the  WEP  key  has  been  cracked  the  desired 
network  can  now  be  associated  with.  Now  that  the  techniques  for  cracking  a  WEP  key 
have  been  shown,  the  next  problem  is  dealing  with  a  wireless  network  that  uses  WPA 
encryption. 
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Associating  with  a  WPA  Secured  Network 

Recall  that  WPA  encryption  is  stronger  than  the  encryption  used  in  WEP. 
However,  much  like  cracking  a  WEP  key,  a  WPA  key  can  be  determined  by  capturing 
certain  frames  from  the  desired  WPA  encrypted  network.  These  specific  frames  are 
transmitted  during  the  WPA  authentication  process.  Eigure  12  shows  the  steps  of  a 
successful  four-way  handshake  with  an  AP  utilizing  WPA  encryption.  In  the  first  part  of 
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Figure  12.  WPA  4-way  Handshake 

the  authentication  process  the  client  and  the  AP  use  the  PSK  and  the  SSID  of  the  network 
to  compute  the  PMK.  Using  the  PMK,  the  client  (wireless  station)  communicates  with 
the  AP  using  a  protocol  to  create  a  new  Pairwise  Transient  Key  (PTK).  The  PTK  is 
created  dynamically  every  time  the  client  connects  to  the  AP  and  can  change  during  a 
connection.  The  PTK  is  created  through  a  function  using  the  PMK,  the  A-nonce  (an  AP 
produced  random  number),  the  S-nonce  (a  client  produced  random  number),  the  client 
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MAC  address,  and  the  AP  MAC  address.  The  AP  verifies  that  the  elient  has  the  eorrect 
PMK  by  eheeking  the  MIC  value  during  the  authentieation  proeess.  The  elient  also 
verifies  that  the  AP  has  the  eorrect  PMK  using  the  MIC  value.  The  numbers  that  are 
required  when  cracking  a  WPA  PSK  are  the  A-nonce,  S-nonce,  and  the  MIC  value.  Once 
these  numbers  are  captured,  in  addition  to  the  SSID,  cracking  of  the  PSK  can  commence. 
Unlike  cracking  WEP,  there  is  no  statistical  attack  on  WPA  keys  (Cache,  2007:205-206). 
To  crack  a  WPA  PSK  a  dictionary  attack  is  utilized.  A  dictionary  attack  is  a  brute  force 
attack  that  uses  a  list  of  words  that  are  fed  one  at  a  time  into  the  WPA  authentication 
algorithm  used  to  create  the  MIC  value.  If  the  calculated  MIC  value  matches  the 
captured  MIC  value  then  the  tested  word  is  the  PSK.  A  dictionary  attack  is  guaranteed 
successful  in  cracking  the  PSK.  However,  depending  on  the  complexity  of  the 
passphrase,  the  process  can  take  an  extraordinarily  long  time  to  complete. 

One  tool  that  is  used  to  crack  a  WPA  PSK  is  coWPAtty  (correct  spelling). 
Cowpatty  is  a  Linux  based  tool  that  performs  the  dictionary  attack  on  the  PSK  once  the 
required  information  is  captured.  This  tool  processes  approximately  30-60  words  per 
second,  which  appear  to  be  relatively  fast.  Processing  45  words  per  second  tests 
3,888,000  words  per  day.  This  number  seems  large,  but  there  are  208,827,064,576 
possible  ways  to  create  an  8-character  WPA  passphrase.  At  this  rate  cowpatty  would 
take  53,710  days  to  test  all  possible  8-character  WPA  passphrases  (Fogie,  2005).  This 
time  can  be  shortened  either  by  using  a  hardware  accelerated  version  of  Cowpatty, 
pre-creating  hash  tables  using  popular  SSIDs  (such  as  Linksys),  or  by  using  multiple 
computers,  each  processing  a  different  portion  of  the  dictionary  word  list.  Despite  the 
possibility  of  a  lengthy  computational  period,  a  WPA  PSK  dictionary  attack  can  crack  the 
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PSK  quickly,  considering  the  propensity  of  wireless  network  users  to  choose  weak 
passwords  to  enerypt  their  networks.  After  the  passphrases  and  keys  for  a  WEP  or  WPA 
enerypted  wireless  network  are  obtained,  the  ability  to  prosecute  a  DoS  against  a  speeific 
wireless  network  ean  oeeur. 

Creating  a  Fake  AP 

As  stated  earlier,  a  DoS  attack  against  a  specific  wireless  network  starts  by 
assoeiating  with  the  desired  network.  This  requires  the  SSID  of  the  network  and  the 
WEP/WPA  keys,  if  required.  Eising  this  information  and  then  transmitting  a  stronger 
signal  than  the  AP  of  the  desired  wireless  network,  a  fake  AP  ean  be  ereated.  The  first 
step  of  this  proeess  is  to  transmit  a  deauthentieation  eontrol  message.  Reeall  that  this 
message  disassoeiates  all  wireless  stations  from  the  network.  When  these  wireless 
stations  attempt  to  re-assoeiate  with  the  AP,  they  will  automatieally  eonneet  to  the  fake 
AP.  Then  the  frames  that  are  intercepted  are  simply  discarded.  As  long  as  the  fake  AP 
behaves  like  the  actual  AP,  the  wireless  stations  will  assume  that  their  transmitted  frames 
were  reeeived  and  forwarded.  This  teehnique  ean  be  effeetive  against  a  majority  of  the 
wireless  stations  assoeiated  with  a  network  by  using  an  omnidirectional  antenna.  This 
same  teehnique  ean  be  performed  against  a  single  wireless  station  by  utilizing  a 
directional  antenna.  Eising  either  type  of  antenna,  the  result  of  this  technique  is  that  only 
the  desired  wireless  network  is  affeeted.  EJsers  on  other  wireless  networks  are  able  to 
eontinue  operating  normally. 
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Defeat  through  Deception 

The  last  section  discussed  techniques  for  defeating  a  desired  wireless  network 
through  denial.  Some  denial  techniques  can  be  noisy  and  alert  the  operator  of  a  wireless 
network  that  the  network  is  operating  incorrectly  allowing  the  operator  to  reconfigure  the 
system  to  avoid  the  DoS.  In  some  instances  denial  may  be  the  only  avenue  for  defeating 
a  wireless  network,  such  as  heavily  secured  networks.  Another  course  of  action  is  to 
defeat  the  network  through  deception.  When  deceiving  a  wireless  network,  the  network 
seems  to  operate  normally  while  the  information  being  sent  across  the  network  is  being 
altered. 

ARP  Spoofing 

As  in  applying  denial  techniques,  the  first  step  in  deceiving  a  desired  wireless 
network  is  to  associate  with  the  network.  The  same  techniques  of  WEP/WPA  key 
cracking  that  were  presented  in  the  previous  section  are  also  applied  here.  Once 
associated  with  the  desired  network  a  technique  called  ARP  spoofing  is  utilized.  ARP 
packets  are  used  in  a  network  to  determine  the  MAC  address  of  a  receiving  node.  A  node 
that  has  a  frame  to  transmit  sends  out  an  ARP  query.  An  ARP  query  is  broadcast  to 
every  node  on  the  network  to  determine  which  node  on  the  network  has  a  specific  IP 
address.  When  receiving  an  ARP  query,  a  node  determines  if  it  has  the  requested  IP 
address.  If  the  node  has  the  desired  IP  address,  an  ARP  response  is  transmitted  back  to 
the  requesting  node  which  providing  the  MAC  address  of  the  requested  IP  address.  The 
requesting  node  now  knows  where  to  transmit  the  frame.  If  the  receiving  node  does  not 
have  the  desired  IP  address  then  the  node  does  nothing  and  the  query  is  ignored  (Kurose, 
2007:465-467). 
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After  associating  with  the  desired  network,  the  first  step  in  ARP  spoofing  is  to 
determine  the  AP  IP  and  MAC  addresses  and  the  desired  wireless  station  IP  and  MAC 
addresses.  These  are  determined  by  analyzing  intercepted  packets  from  the  network. 

The  next  step  is  to  transmit  gratuitous  ARP  reply  messages  into  the  network.  One  of  the 
ARP  reply  messages  is  transmitted  to  the  AP  stating  that  the  IP  address  of  the  wireless 
station  is  located  at  the  MAC  address  of  the  spoofing  wireless  station.  The  other  ARP 
reply  message  is  transmitted  to  the  wireless  station.  This  message  states  that  the  IP 
address  of  the  AP  is  located  at  the  MAC  address  of  the  spoofing  wireless  station.  These 
reply  messages  are  continually  transmitted  to  ensure  that  the  AP  and  wireless  station  keep 
mapping  the  other’s  IP  address  to  the  spoofing  wireless  station.  Now,  when  either  the  AP 
or  the  wireless  station  transmits  a  frame,  the  frame  will  be  transmitted  to  and  received  by 
the  spoofing  wireless  station.  The  spoofing  wireless  station  can  then  intercept  all  of  the 
frames  to  and  from  the  desired  wireless  station  and  then  forward  the  frames  to  the  correct 
locations.  ARP  spoofing  has  a  minimal  effect  on  the  operation  of  the  network  creating 
the  perception  that  the  network  is  operating  normally. 

Altering  Packet  Data 

When  ARP  spoofing  is  utilized,  intercepted  frames  are  not  only  able  to  be  viewed 
and  analyzed  by  a  third  party,  but  the  data  inside  the  frames  can  be  altered  as  well. 

Recall  that  the  payload  of  an  802.1 1  frame  is  typically  an  IP  datagram  or  an  ARP  packet. 
An  IP  datagram  carries  a  payload  of  data  which  is  typically  a  transport-layer  segment. 

The  transport-layer  segment  uses  one  of  two  transport  protocols,  TCP  or  UDP.  These 
transport-layer  segments  contain  the  application  layer  messages.  Application  layer 
messages  contain  the  data  that  two  applications  send  to  each  other  to  communicate,  such 
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as  e-mail,  web  site  eontent,  and  video  streams.  This  applieation  layer  message  is  the  data 
that  ean  be  changed  and  manipulated. 

With  ARP  spooling,  the  process  of  manipulating  data  within  a  data  frame  has 
three  general  steps.  First,  the  intercepted  frame  is  un-encapsulated.  This  step  is 
synonymous  to  peeling  away  the  layers  of  an  onion  to  get  to  the  application  message. 

The  layers  of  the  “onion”  surrounding  the  application  message  are  the  802.1 1  data  frame, 
the  IP  datagram,  and  the  TCP/UDP  segment.  These  layers  are  preserved  for  later  use. 
The  second  step  changes  or  manipulates  the  application  layer  message.  For  example, 
streaming  video  data  can  be  deleted  and  replaced  by  alternate  video  data  or  e-mail  text 
can  be  changed  or  replaced.  The  final  step  is  to  then  re- wrap  the  application  layer 
message  with  the  preserved  “onion”  layers  and  then  transmitted  the  frame  to  correct 
location.  Ideally,  the  host  receiving  the  application  message  is  unaware  that  the  data  is 
being  manipulated. 

This  process  has  been  greatly  simplified  and  in  reality  is  a  relatively  difficult  task. 
First,  the  entire  process  needs  to  occur  quickly  to  avoid  excessive  end  to  end  delays. 

Next,  although  the  layers  of  the  “onion”  are  preserved,  some  of  the  fields  in  each  of  the 
data  frame,  IP  datagram  and  transport-layer  segment  headers  will  need  to  be  recalculated 
such  as  the  CRC  values.  Assuming  this  portion  of  the  process  can  be  performed  quickly, 
the  linch-pin  of  the  entire  process  is  the  ability  to  insert  the  correct  format  of  the 
application  message.  This  format  could  be  ascertained  in  real-time  by  first  analyzing  the 
intercepted  packets  and  then  subsequently  manipulating  the  application  message.  If  this 
entire  process  creates  excessive  delays  or  if  the  application  message  format  cannot  be 
determined,  the  deception  of  the  network  can  revert  to  a  DoS  technique  by  discarding  the 
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captured  packets.  When  utilized  in  this  manner,  ARP  spooling  has  the  same  effect  as 
creating  a  fake  AP. 
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IV.  Summary 


The  purpose  of  this  project  was  to  present  techniques  for  defeating  802.1 1 
wireless  networks.  The  initial  section  discussed  some  of  the  portions  of  the  802. 1 1 
protocol.  After  discussing  the  protocol,  techniques  to  defeat  an  802.1 1  wireless  network 
were  presented.  The  first  step  in  defeating  a  network  is  to  detect  the  network.  Once  the 
desired  wireless  network  is  detected,  the  process  of  defeating  the  network  can  begin. 
Defeating  a  wireless  network  was  broken  down  into  two  sub-categories;  denial  and 
deception.  Denying  a  Wi-Fi  network  was  further  divided  into  two  types  of  denial;  broad 
area  denial  and  specific  network  denial.  Broad  area  denial  techniques  included  RF 
jamming  and  utilizing  the  RTS/CTS  802.1 1  protocol.  These  techniques  did  not  require 
an  association  with  the  desired  network.  Specific  network  denial  techniques  however,  do 
require  an  association  with  the  desired  network.  Association  with  a  network  could  be 
trivial  if  no  security  measures  are  utilized  and  increases  in  difficulty  with  the 
implementation  of  WEP  and  WPA  security.  Cracking  of  the  WEP  and  WPA  keys 
required  to  associate  with  a  network  may  be  time  intensive  requiring  a  broad  area  denial 
technique  to  defeat  the  network.  After  denial  techniques  were  discussed,  a  process  for 
defeating  a  wireless  network  using  deception  was  presented.  This  deception  process  was 
actually  a  manipulation  of  the  data  encapsulated  within  the  802.1 1  frame  rather  than 
deceiving  the  actual  signal. 

The  procedures  presented  in  this  project  for  detecting  and  defeating  802.1 1 
wireless  networks  can  be  applied  to  the  original  motivation  of  this  project;  defeating 
802.1 1  signals  used  to  control  UAVs.  There  are  a  number  of  tasks  that  need  to  be 
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completed  before  these  teehniques  ean  be  transformed  into  a  eoneise  eoneept  of 
operations.  First,  equipment  for  the  task  needs  to  be  researehed  and  purchased.  This 
equipment  ranges  from  eomputers  to  antenna  types.  In  eonjunetion  with  this  task,  the 
various  tools  available  that  perform  the  presented  teehniques  need  to  be  analyzed  and 
tested  for  funetionality  and  eompatibility  with  the  equipment.  Lastly,  although  many 
tools  exist  that  perform  the  teehniques  defined  in  this  projeet  there  are  some  teehniques 
whieh  require  the  development  of  tools  that  also  need  to  be  tested  for  funetionality  and 
eompatibility. 

This  projeet  was  by  no  means  an  exhaustive  presentation  of  defeating  802.1 1 
wireless  networks.  The  baekground  of  the  threat,  the  802.1 1  protoeol  and  the  teehniques 
presented  provide  additional  topies  to  researeh.  WiMAX,  3G  and  4G  eellular  data 
networks,  and  802.1  In  are  some  examples  of  emerging  wireless  teehnologies  that  eould 
be  utilized  to  eommunicate  with  a  UAV.  As  these  network  teehnologies  beeome  more 
widely  proliferated  the  ability  to  purehase  COTS  parts  beeomes  easier.  Also,  other 
portions  of  the  802.1 1  protoeol  eould  be  used  to  ereate  denial  effeets,  sueh  as  malformed 
frames,  turning  on  and  off  bits  in  the  frame  eontrol  field,  and  manipulating  the  802.1 1 
power  management  advaneed  feature.  As  with  any  teehnology,  onee  teehniques  are 
developed  that  deal  with  a  eertain  network  or  protoeol,  most  likely  a  newer  protoeol  or 
network  is  being  developed  whieh  will  require  new  researeh. 
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defeating  wireless  networks  utilizing  the  protocol  through  denial  or  deception.  The  first  set  of  techniques  presented  defeats  a  network  through  denial.  These 
denial  techniques  are  divided  into  two  categories:  broad  area  denial  techniques  and  specific  network  denial  techniques.  After  denial  techniques  are  discussed  a 
process  for  deceiving  an  802.1 1  wireless  network  is  presented. 
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